updated 09:18 pm EST, Thu December 26, 2013

Ephemeral message service sender's privacy potentially in danger

An unpatched code flaw in Snapchat's API allows rogue coders to write a script that associates actual phone numbers with Snapchat user names, display names, and account privacy settings. This information, combined with data from other breaches, can be sold, and it adds up to a significant amount of data on any Snapchat user who has been identified in such a manner.

Snapchat is a service that allows users to exchange videos or messages, which Snapchat deletes ten seconds after they are opened. The exploit doesn't change this fact, but it does give API script users who implement the undocumented hooks more access to personal information about the senders. Gibson Security claims that the hooks are easily removable from the API and can be deleted with little effect on the rest of the API.

Researchers at Gibson Security published the undocumented hooks in the Snapchat API after being ignored by Snapchat since August. Gibson Security told ZDNet in an email that a coded script harvesting user data could "automatically build profiles about users, which could be sold for a lot of money."